2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 1989, 1993
5 * The Regents of the University of California. All rights reserved.
7 * This code is derived from software contributed to Berkeley by
8 * Rick Macklem at The University of Guelph.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include "opt_inet6.h"
40 #include "opt_kgssapi.h"
41 #include "opt_kern_tls.h"
43 #include <fs/nfs/nfsport.h>
46 #include <rpc/rpcsec_gss.h>
47 #include <rpc/rpcsec_tls.h>
49 #include <fs/nfsserver/nfs_fha_new.h>
51 #include <security/mac/mac_framework.h>
55 char *nfsrv_zeropnfsdat = NULL;
58 * Mapping of old NFS Version 2 RPC numbers to generic numbers.
60 int newnfs_nfsv3_procid[NFS_V3NPROCS] = {
85 SYSCTL_DECL(_vfs_nfsd);
87 NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 0;
88 SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN,
89 &NFSD_VNET_NAME(nfs_privport), 0,
90 "Only allow clients using a privileged port for NFSv2, 3 and 4");
92 NFSD_VNET_DEFINE_STATIC(int, nfs_minvers) = NFS_VER2;
93 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_min_nfsvers,
94 CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_minvers), 0,
95 "The lowest version of NFS handled by the server");
97 NFSD_VNET_DEFINE_STATIC(int, nfs_maxvers) = NFS_VER4;
98 SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_max_nfsvers,
99 CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_maxvers), 0,
100 "The highest version of NFS handled by the server");
102 static int nfs_proc(struct nfsrv_descript *, u_int32_t, SVCXPRT *xprt,
103 struct nfsrvcache **);
105 extern u_long sb_max_adj;
106 extern int newnfs_numnfsd;
107 extern time_t nfsdev_time;
108 extern int nfsrv_writerpc[NFS_NPROCS];
109 extern volatile int nfsrv_devidcnt;
110 extern struct nfsv4_opflag nfsv4_opflag[NFSV42_NOPS];
111 extern int nfsd_debuglevel;
113 NFSD_VNET_DECLARE(struct proc *, nfsd_master_proc);
115 NFSD_VNET_DEFINE(SVCPOOL *, nfsrvd_pool);
116 NFSD_VNET_DEFINE(int, nfsrv_numnfsd) = 0;
117 NFSD_VNET_DEFINE(struct nfsv4lock, nfsd_suspend_lock);
119 NFSD_VNET_DEFINE_STATIC(bool, nfsrvd_inited) = false;
122 * NFS server system calls
126 nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
128 struct nfsrv_descript nd;
129 struct nfsrvcache *rp = NULL;
130 rpc_gss_rawcred_t *rcredp;
131 int cacherep, credflavor, i, j;
137 NFSD_CURVNET_SET_QUIET(NFSD_TD_TO_VNET(curthread));
138 memset(&nd, 0, sizeof(nd));
139 if (rqst->rq_vers == NFS_VER2) {
140 if (rqst->rq_proc > NFSV2PROC_STATFS ||
141 newnfs_nfsv3_procid[rqst->rq_proc] == NFSPROC_NOOP) {
146 nd.nd_procnum = newnfs_nfsv3_procid[rqst->rq_proc];
147 nd.nd_flag = ND_NFSV2;
148 } else if (rqst->rq_vers == NFS_VER3) {
149 if (rqst->rq_proc >= NFS_V3NPROCS) {
154 nd.nd_procnum = rqst->rq_proc;
155 nd.nd_flag = ND_NFSV3;
157 if (rqst->rq_proc != NFSPROC_NULL &&
158 rqst->rq_proc != NFSV4PROC_COMPOUND) {
163 nd.nd_procnum = rqst->rq_proc;
164 nd.nd_flag = ND_NFSV4;
168 * Note: we want rq_addr, not svc_getrpccaller for nd_nam2 -
169 * NFS_SRVMAXDATA uses a NULL value for nd_nam2 to detect TCP
172 nd.nd_mrep = rqst->rq_args;
173 rqst->rq_args = NULL;
174 newnfs_realign(&nd.nd_mrep, M_WAITOK);
175 nd.nd_md = nd.nd_mrep;
176 nd.nd_dpos = mtod(nd.nd_md, caddr_t);
177 nd.nd_nam = svc_getrpccaller(rqst);
178 nd.nd_nam2 = rqst->rq_addr;
182 if (NFSD_VNET(nfs_privport) != 0) {
183 /* Check if source port is privileged */
185 struct sockaddr *nam = nd.nd_nam;
186 struct sockaddr_in *sin;
188 sin = (struct sockaddr_in *)nam;
190 * INET/INET6 - same code:
191 * sin_port and sin6_port are at same offset
193 port = ntohs(sin->sin_port);
194 if (port >= IPPORT_RESERVED &&
195 nd.nd_procnum != NFSPROC_NULL) {
197 char buf[INET6_ADDRSTRLEN];
199 char buf[INET_ADDRSTRLEN];
202 #if defined(KLD_MODULE)
203 /* Do not use ip6_sprintf: the nfs module should work without INET6. */
204 #define ip6_sprintf(buf, a) \
205 (sprintf((buf), "%x:%x:%x:%x:%x:%x:%x:%x", \
206 (a)->s6_addr16[0], (a)->s6_addr16[1], \
207 (a)->s6_addr16[2], (a)->s6_addr16[3], \
208 (a)->s6_addr16[4], (a)->s6_addr16[5], \
209 (a)->s6_addr16[6], (a)->s6_addr16[7]), \
213 printf("NFS request from unprivileged port (%s:%d)\n",
215 sin->sin_family == AF_INET6 ?
216 ip6_sprintf(buf, &satosin6(sin)->sin6_addr) :
217 #if defined(KLD_MODULE)
221 inet_ntoa_r(sin->sin_addr, buf), port);
222 svcerr_weakauth(rqst);
229 if (nd.nd_procnum != NFSPROC_NULL) {
230 if (!svc_getcred(rqst, &nd.nd_cred, &credflavor)) {
231 svcerr_weakauth(rqst);
237 /* Set the flag based on credflavor */
238 if (credflavor == RPCSEC_GSS_KRB5) {
239 nd.nd_flag |= ND_GSS;
240 } else if (credflavor == RPCSEC_GSS_KRB5I) {
241 nd.nd_flag |= (ND_GSS | ND_GSSINTEGRITY);
242 } else if (credflavor == RPCSEC_GSS_KRB5P) {
243 nd.nd_flag |= (ND_GSS | ND_GSSPRIVACY);
244 } else if (credflavor != AUTH_SYS) {
245 svcerr_weakauth(rqst);
251 /* Acquire the principal name for the RPCSEC_GSS cases. */
252 if ((nd.nd_flag & (ND_NFSV4 | ND_GSS)) == (ND_NFSV4 | ND_GSS)) {
254 rpc_gss_getcred_call(rqst, &rcredp, NULL, NULL);
256 * The exported principal name consists of:
257 * - TOK_ID bytes with value of 4 and 1.
258 * - 2 byte mech length
260 * - 4 byte principal name length
262 * A call to gss_import_name() would be an
263 * upcall to the gssd, so parse it here.
264 * See lib/libgssapi/gss_import_name.c for the
267 if (rcredp != NULL &&
268 rcredp->client_principal->len > 4 &&
269 rcredp->client_principal->name[0] == 4 &&
270 rcredp->client_principal->name[1] == 1) {
271 /* Skip over the mech. */
272 p = &rcredp->client_principal->name[2];
273 i = (p[0] << 8) | p[1];
277 * Set "j" to a bogus length so that the
278 * "i + j" check will fail unless the below
279 * code sets "j" correctly.
281 j = rcredp->client_principal->len;
282 if (rcredp->client_principal->len > i + 4) {
283 j = (p[0] << 24) | (p[1] << 16) |
288 if (i + j == rcredp->client_principal->len) {
289 nd.nd_principal = malloc(j + 1, M_TEMP,
292 memcpy(nd.nd_principal, p, j);
293 nd.nd_principal[j] = '\0';
294 NFSD_DEBUG(1, "nfssvc_program: "
295 "principal=%s\n", nd.nd_principal);
298 if (nd.nd_princlen == 0)
299 printf("nfssvc_program: cannot get RPCSEC_GSS "
303 if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0) {
304 nd.nd_flag |= ND_TLS;
305 if ((xprt->xp_tls & RPCTLS_FLAGS_VERIFIED) != 0)
306 nd.nd_flag |= ND_TLSCERT;
307 if ((xprt->xp_tls & RPCTLS_FLAGS_CERTUSER) != 0)
308 nd.nd_flag |= ND_TLSCERTUSER;
310 nd.nd_maxextsiz = 16384;
312 mac_cred_associate_nfsd(nd.nd_cred);
315 * Get a refcnt (shared lock) on nfsd_suspend_lock.
316 * NFSSVC_SUSPENDNFSD will take an exclusive lock on
317 * nfsd_suspend_lock to suspend these threads.
318 * The call to nfsv4_lock() that precedes nfsv4_getref()
319 * ensures that the acquisition of the exclusive lock
320 * takes priority over acquisition of the shared lock by
321 * waiting for any exclusive lock request to complete.
322 * This must be done here, before the check of
323 * nfsv4root exports by nfsvno_v4rootexport().
325 NFSLOCKV4ROOTMUTEX();
326 nfsv4_lock(&NFSD_VNET(nfsd_suspend_lock), 0, NULL,
327 NFSV4ROOTLOCKMUTEXPTR, NULL);
328 nfsv4_getref(&NFSD_VNET(nfsd_suspend_lock), NULL,
329 NFSV4ROOTLOCKMUTEXPTR, NULL);
330 NFSUNLOCKV4ROOTMUTEX();
332 if ((nd.nd_flag & ND_NFSV4) != 0) {
333 nd.nd_repstat = nfsvno_v4rootexport(&nd);
334 if (nd.nd_repstat != 0) {
335 NFSLOCKV4ROOTMUTEX();
336 nfsv4_relref(&NFSD_VNET(nfsd_suspend_lock));
337 NFSUNLOCKV4ROOTMUTEX();
338 svcerr_weakauth(rqst);
346 if ((xprt->xp_tls & RPCTLS_FLAGS_HANDSHAKE) != 0 &&
347 rpctls_getinfo(&maxlen, false, false))
348 nd.nd_maxextsiz = maxlen;
350 cacherep = nfs_proc(&nd, rqst->rq_xid, xprt, &rp);
351 NFSLOCKV4ROOTMUTEX();
352 nfsv4_relref(&NFSD_VNET(nfsd_suspend_lock));
353 NFSUNLOCKV4ROOTMUTEX();
356 nd.nd_mreq->m_len = 0;
359 if (nd.nd_mrep != NULL)
362 if (nd.nd_cred != NULL)
365 if (cacherep == RC_DROPIT) {
366 if (nd.nd_mreq != NULL)
372 if (nd.nd_mreq == NULL) {
378 if (nd.nd_repstat & NFSERR_AUTHERR) {
379 svcerr_auth(rqst, nd.nd_repstat & ~NFSERR_AUTHERR);
380 if (nd.nd_mreq != NULL)
382 } else if (!svc_sendreply_mbuf(rqst, nd.nd_mreq)) {
383 svcerr_systemerr(rqst);
386 nfsrvd_sentcache(rp, (rqst->rq_reply_seq != 0 ||
387 SVC_ACK(xprt, NULL)), rqst->rq_reply_seq);
392 free(nd.nd_principal, M_TEMP);
393 NFSD_CURVNET_RESTORE();
394 ast_kclear(curthread);
399 * Check the cache and, optionally, do the RPC.
400 * Return the appropriate cache response.
403 nfs_proc(struct nfsrv_descript *nd, u_int32_t xid, SVCXPRT *xprt,
404 struct nfsrvcache **rpp)
406 int cacherep = RC_DOIT, isdgram, taglen = -1;
408 u_char tag[NFSV4_SMALLSTR + 1], *tagstr = NULL;
409 u_int32_t minorvers = 0;
413 if (nd->nd_nam2 == NULL) {
414 nd->nd_flag |= ND_STREAMSOCK;
422 * 1 - For NFSv2 over UDP, if we are near our malloc/mget
423 * limit, just drop the request. There is no
424 * NFSERR_RESOURCE or NFSERR_DELAY for NFSv2 and the
425 * client will timeout/retry over UDP in a little while.
426 * 2 - nd_repstat == 0 && nd_mreq == NULL, which
427 * means a normal nfs rpc, so check the cache
429 if ((nd->nd_flag & ND_NFSV2) && nd->nd_nam2 != NULL &&
430 nfsrv_mallocmget_limit()) {
431 cacherep = RC_DROPIT;
434 * For NFSv3, play it safe and assume that the client is
435 * doing retries on the same TCP connection.
437 if ((nd->nd_flag & (ND_NFSV4 | ND_STREAMSOCK)) ==
439 nd->nd_flag |= ND_SAMETCPCONN;
441 nd->nd_tcpconntime = NFSD_MONOSEC;
442 nd->nd_sockref = xprt->xp_sockref;
443 if ((nd->nd_flag & ND_NFSV4) != 0)
444 nfsd_getminorvers(nd, tag, &tagstr, &taglen,
446 if ((nd->nd_flag & ND_NFSV41) != 0)
447 /* NFSv4.1 caches replies in the session slots. */
450 cacherep = nfsrvd_getcache(nd);
453 nfsrc_trimcache(xprt->xp_sockref, ack, 0);
458 * Handle the request. There are three cases.
459 * RC_DOIT - do the RPC
460 * RC_REPLY - return the reply already created
461 * RC_DROPIT - just throw the request away
463 if (cacherep == RC_DOIT) {
464 if ((nd->nd_flag & ND_NFSV41) != 0)
466 nfsrvd_dorpc(nd, isdgram, tagstr, taglen, minorvers);
467 if ((nd->nd_flag & ND_NFSV41) != 0) {
468 if (nd->nd_repstat != NFSERR_REPLYFROMCACHE &&
469 (nd->nd_flag & ND_SAVEREPLY) != 0) {
470 /* Cache a copy of the reply. */
471 m = m_copym(nd->nd_mreq, 0, M_COPYALL,
475 if ((nd->nd_flag & ND_HASSEQUENCE) != 0)
476 nfsrv_cache_session(nd, &m);
477 if (nd->nd_repstat == NFSERR_REPLYFROMCACHE) {
480 m_freem(nd->nd_mreq);
486 if (nd->nd_repstat == NFSERR_DONTREPLY)
487 cacherep = RC_DROPIT;
490 *rpp = nfsrvd_updatecache(nd);
493 if (tagstr != NULL && taglen > NFSV4_SMALLSTR)
494 free(tagstr, M_TEMP);
501 nfssvc_loss(SVCXPRT *xprt)
507 NFSD_CURVNET_SET(NFSD_TD_TO_VNET(curthread));
508 nfsrc_trimcache(xprt->xp_sockref, ack, 1);
509 NFSD_CURVNET_RESTORE();
513 * Adds a socket to the list for servicing by nfsds.
516 nfsrvd_addsock(struct file *fp)
522 static u_int64_t sockref = 0;
527 error = soreserve(so, siz, siz);
532 * Steal the socket from userland so that it doesn't close
535 if (so->so_type == SOCK_DGRAM)
536 xprt = svc_dg_create(NFSD_VNET(nfsrvd_pool), so, 0, 0);
538 xprt = svc_vc_create(NFSD_VNET(nfsrvd_pool), so, 0, 0);
540 fp->f_ops = &badfileops;
542 xprt->xp_sockref = ++sockref;
543 if (NFSD_VNET(nfs_minvers) == NFS_VER2)
544 svc_reg(xprt, NFS_PROG, NFS_VER2, nfssvc_program,
546 if (NFSD_VNET(nfs_minvers) <= NFS_VER3 &&
547 NFSD_VNET(nfs_maxvers) >= NFS_VER3)
548 svc_reg(xprt, NFS_PROG, NFS_VER3, nfssvc_program,
550 if (NFSD_VNET(nfs_maxvers) >= NFS_VER4)
551 svc_reg(xprt, NFS_PROG, NFS_VER4, nfssvc_program,
553 if (so->so_type == SOCK_STREAM)
554 svc_loss_reg(xprt, nfssvc_loss);
565 * Called by nfssvc() for nfsds. Just loops around servicing rpc requests
566 * until it is killed by a signal.
569 nfsrvd_nfsd(struct thread *td, struct nfsd_nfsd_args *args)
571 char principal[MAXHOSTNAMELEN + 5];
574 bool_t ret2, ret3, ret4;
576 error = copyinstr(args->principal, principal, sizeof (principal),
582 * Only the first nfsd actually does any work. The RPC code
583 * adds threads to it as needed. Any extra processes offered
584 * by nfsd just exit. If nfsd is new enough, it will call us
585 * once with a structure that specifies how many threads to
589 if (NFSD_VNET(nfsrv_numnfsd) == 0) {
590 nfsdev_time = time_second;
593 p->p_flag2 |= P2_AST_SU;
595 newnfs_numnfsd++; /* Total num for all vnets. */
596 NFSD_VNET(nfsrv_numnfsd)++; /* Num for this vnet. */
599 error = nfsrv_createdevids(args, td);
601 /* An empty string implies AUTH_SYS only. */
602 if (principal[0] != '\0') {
603 ret2 = rpc_gss_set_svc_name_call(principal,
604 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG,
606 ret3 = rpc_gss_set_svc_name_call(principal,
607 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG,
609 ret4 = rpc_gss_set_svc_name_call(principal,
610 "kerberosv5", GSS_C_INDEFINITE, NFS_PROG,
613 if (!ret2 || !ret3 || !ret4)
614 printf("nfsd: can't register svc "
615 "name %s jid:%d\n", principal,
616 td->td_ucred->cr_prison->pr_id);
619 NFSD_VNET(nfsrvd_pool)->sp_minthreads =
621 NFSD_VNET(nfsrvd_pool)->sp_maxthreads =
625 * If this is a pNFS service, make Getattr do a
626 * vn_start_write(), so it can do a vn_set_extattr().
628 if (nfsrv_devidcnt > 0) {
629 nfsrv_writerpc[NFSPROC_GETATTR] = 1;
630 nfsv4_opflag[NFSV4OP_GETATTR].modifyfs = 1;
633 svc_run(NFSD_VNET(nfsrvd_pool));
635 /* Reset Getattr to not do a vn_start_write(). */
636 nfsrv_writerpc[NFSPROC_GETATTR] = 0;
637 nfsv4_opflag[NFSV4OP_GETATTR].modifyfs = 0;
639 if (principal[0] != '\0') {
640 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER2);
641 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER3);
642 rpc_gss_clear_svc_name_call(NFS_PROG, NFS_VER4);
647 NFSD_VNET(nfsrv_numnfsd)--;
650 p->p_flag2 &= ~P2_AST_SU;
661 * Initialize the data structures for the server.
662 * Handshake with any new nfsds starting up to avoid any chance of
666 nfsrvd_init(int terminating)
672 NFSD_VNET(nfsd_master_proc) = NULL;
674 nfsrv_freealllayoutsanddevids();
675 nfsrv_freeallbackchannel_xprts();
676 svcpool_close(NFSD_VNET(nfsrvd_pool));
677 free(nfsrv_zeropnfsdat, M_TEMP);
678 nfsrv_zeropnfsdat = NULL;
681 /* Initialize per-vnet globals once per vnet. */
682 if (NFSD_VNET(nfsrvd_inited))
684 NFSD_VNET(nfsrvd_inited) = true;
686 NFSD_VNET(nfsrvd_pool) = svcpool_create("nfsd",
687 SYSCTL_STATIC_CHILDREN(_vfs_nfsd));
688 NFSD_VNET(nfsrvd_pool)->sp_rcache = NULL;
689 NFSD_VNET(nfsrvd_pool)->sp_assign = fhanew_assign;
690 NFSD_VNET(nfsrvd_pool)->sp_done = fhanew_nd_complete;